Christmas-Themed Malware Starts to Jingle All the Way

07 Dec 2012

Once again, cybercriminals are taking advantage of the holidays in what seems like a targeted attack against businesses and government organizations. We spotted samples that bore the filename PROPOSED CHRISTMAS PARTY 2012.doc. Trend Micro detects this as TROJ_ARTIEF.RTN. When executed, this malware drops a file (temp.doc) that acts as a decoy to trick recipients into thinking this is a legitimate document. In the document file we spotted, the decoy looks like an invitation to a certain government office’s upcoming Christmas party.

This backdoor also checks which web browser is used and creates a hidden process in order to inject its malicious code. We speculate that this attack uses email messages as the delivery mechanism to penetrate the network of the targeted entity. In our primer, Covert Arrivals: Email’s Role in APT Campaigns, we tackled how email is used by threat actors as one of the entry points of APTs and targeted attacks. These email messages used social engineering techniques to trick users. In this case, the cybercriminals used Christmas and annual Xmas parties as the lure. We’re currently monitoring this threat for any developments.

In the past, we reported various incidents that leveraged the Holidays as seen in the following posts: